Socket for GitHub Actions
Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for your open source dependencies. It is easy to integrate Socket into your Github Actions to provide an extra layer of security against Supply Chain Attacks.
Adding Socket to your Github Actions Workflow
Create your Socket Environment variables
- Create a Socket API Key (Directions)
- Log into your Github Org
- Set up your Action Secret at either the Repo or Org level
- For the repo level
- Go to Settings
- Secrets and variables
- Actions
- New repository secret
- For the repo level
Setup the Github Actions Workflow
The Action Workflow currently uses the auto generated Github Actions token based on the permissions that are requested in the Workflow. The sample Workflow Yaml can be customized to your needs. It currently runs on every push and issue_comment type event.
- Go to your repo
- Create a new file with the name
.github/workflows/socket.yml - Add in the Socket Actions Yaml from below.
name: socket-security-workflow
run-name: Socket Security Github Action
on: [push, issue_comment, pull_request]
jobs:
socket-security:
permissions:
issues: write
contents: read
pull-requests: write
runs-on: ubuntu-latest
if: ${{ (github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref) || github.event_name == 'pull_request' || github.event_name == 'issue_comment'}}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: ${{ github.event_name == 'pull_request' && 2 || 0 }}
- name: Get changed files
id: changed-files
run: |
if ${{ github.event_name == 'pull_request' }}; then
echo "changed_files=$(git diff --name-only -r HEAD^1 HEAD | xargs)" >> $GITHUB_OUTPUT
else
echo "changed_files=$(git diff --name-only ${{ github.event.before }} ${{ github.event.after }} | xargs)" >> $GITHUB_OUTPUT
fi
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Get PR State
if: github.event_name == 'pull_request'
run: echo "EVENT_ACTION=${{ github.event.action }}" >> $GITHUB_ENV
- name: Install Socket CLI
run: pip install socketsecurity --upgrade
- name: Check if Default Branch
if: ${{ always() && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref }}
run: echo "DEFAULT_BRANCH=1" >> $GITHUB_ENV
- uses: actions/github-script@v7
id: get_pr_data
with:
script: |
let data = (
await github.rest.repos.listPullRequestsAssociatedWithCommit({
commit_sha: context.sha,
owner: context.repo.owner,
repo: context.repo.repo,
})
).data[0];
if (data === undefined) {
data = {
'number': null,
'title': null
}
}
return data;
- name: Save Pull Request Number
run: |
echo "PR_NUMBER=${{ fromJson(steps.get_pr_data.outputs.result).number || github.event.issue.number || github.event.number }}" >> $GITHUB_ENV
- name: Run scan
env:
SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
CHANGED_FILES=$(echo "${{ steps.changed-files.outputs.changed_files }}" | tr " " "\n")
FILES=""
while IFS= read -r line; do
FILES="$FILES\"$line\","
done <<< "$CHANGED_FILES"
FILES=$(echo $FILES | sed 's/,*$//')
socketcli --files "[$FILES]" --scm github --repo ${{ github.event.repository.name }} --branch "${{ github.ref_name }}" $(if [ ! -z $DEFAULT_BRANCH ]; then echo "--default_branch"; fi) --pr_number $(if [ -z $PR_NUMBER ]; then echo 0; else echo $PR_NUMBER;fi) --committer "$GITHUB_ACTOR" --commit_message "$COMMIT_MESSAGE" --target_path $GITHUB_WORKSPACE
Updated 14 days ago